Phishing Click Rate: Industry Benchmarks and How to Reduce It
Is your click rate at 15%? Discover phishing benchmarks by industry and the methodology to get below 2% in 3 months.
What is an acceptable phishing click rate for your company? If you don't know the answer, you're not measuring your human risk. And if you're not measuring it, you can neither manage it nor reduce it.
The click rate on phishing simulations is the most direct key performance indicator (KPI) of cybersecurity awareness. It's the number your executive committee asks for, your auditors verify, and your cyber insurer demands. Yet most CISOs at SMBs have no industry benchmark to put their results in context. Is a 12% click rate good or disastrous? The answer depends on your industry, your maturity level, and the difficulty of your simulations.
This article provides phishing benchmarks by industry based on data from the leading market reports, a hands-on methodology to go from 16% to under 2% click rate, and the additional KPIs you should be tracking beyond the simple click rate.
What Is the Phishing Click Rate and How Do You Measure It?
Definition
The phishing click rate measures the percentage of employees who click on a link in a simulated phishing email during an awareness campaign.
Formula:
Click rate = (Number of unique clickers / Number of emails delivered) x 100
Count each employee once, however many times they click, and use delivered emails (not sent) as the denominator. If you send a simulation to 200 employees and 30 of them click the link, your click rate is 15%.
How It Differs from Other Metrics
The click rate is just one of several metrics from a phishing simulation. Here are the main ones and what they measure:
- Open rate: % of employees whose mail client loaded the tracking pixel. Unreliable as a risk indicator: opening an email is not dangerous in itself, and image blocking on one side and gateway pre-fetching on the other make the number noisy in both directions.
- Click rate: % of employees who click the phishing link. This is the primary indicator of human risk.
- Submission rate: % of employees who enter their credentials on the fake phishing page. More serious than a click, because in a real attack it would mean an actual credential compromise.
- Reporting rate: % of employees who report the email as suspicious. This is the maturity indicator, which we will cover in detail below.
Why It Is THE Proxy for Human Risk
82% of data breaches involve the human element (Verizon DBIR 2025). The phishing click rate is the most direct and measurable proxy for this vulnerability. A 20% click rate concretely means that in a real campaign of comparable difficulty, roughly 1 in 5 employees would click; whether that click turns into a compromise then depends only on what sits behind the link and on your technical controls. For the full picture of phishing statistics in France: Phishing in business: 2026 statistics.
How to Measure Correctly
To make your benchmarks comparable, standardize your simulation conditions:
- Don't announce it: an announced simulation measures nothing.
- Consistent difficulty: compare simulations of equivalent difficulty against each other.
- Staggered sending: don't send to all employees simultaneously (word-of-mouth effect).
- Fixed 48-hour window: count clicks from delivery up to 48 hours and then close the campaign; later clicks are rare and no longer comparable between campaigns.
- Exclude absentees: only count emails that were actually delivered, so bounces and out-of-office mailboxes don't dilute the denominator.
- Exclude automated clicks: link-scanning gateways and sandboxes follow URLs at delivery time. A "click" that arrives seconds after delivery, or from a non-browser user agent, is the gateway, not a person, and will inflate your rate if you count it.
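The metric definitions and measurement rules above, turned into a small script. This is an added example, not code from the article or from any simulation platform: the per-recipient record layout, the 10-second scanner threshold and the user-agent markers are assumptions made for the example, and the sample export is constructed. It computes the four rates on a delivered-only denominator, counts each employee once, applies the 48-hour window, and drops gateway pre-fetches before they count as human clicks.

```python
"""Campaign KPIs from a per-recipient event export, applying the measurement
rules above: delivered-only denominator, one count per employee, a 48-hour
window, and automated gateway clicks filtered out.
Added example; the record layout and scanner heuristics are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MEASUREMENT_WINDOW = timedelta(hours=48)   # close the count 48 h after delivery
SCANNER_WINDOW = timedelta(seconds=10)     # a "click" seconds after delivery is a pre-fetch
# Non-browser user agents typical of link scanners (illustrative, not a vendor list)
SCANNER_UA_MARKERS = ("python-requests", "curl/", "Go-http-client", "HeadlessChrome")


@dataclass
class Recipient:
    email: str
    delivered_at: Optional[datetime]              # None = bounced, not delivered
    opened_at: Optional[datetime] = None
    clicks: list = field(default_factory=list)    # (timestamp, user_agent) per click
    submitted_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


def first_human_click(r: Recipient) -> Optional[datetime]:
    """First click inside the window that was not an automated URL fetch."""
    for ts, ua in sorted(r.clicks):
        age = ts - r.delivered_at
        if age > MEASUREMENT_WINDOW:
            break                      # later clicks are outside the campaign
        if age < SCANNER_WINDOW or any(m in ua for m in SCANNER_UA_MARKERS):
            continue                   # link-scanning gateway, not a person
        return ts
    return None


def in_window(r: Recipient, ts: Optional[datetime]) -> bool:
    return ts is not None and ts - r.delivered_at <= MEASUREMENT_WINDOW


def campaign_kpis(recipients: list) -> dict:
    """Open, click, submission and reporting rates as % of delivered emails."""
    delivered = [r for r in recipients if r.delivered_at is not None]
    n = len(delivered)
    if n == 0:
        raise ValueError("nothing delivered: nothing to measure")
    opened = [r for r in delivered if in_window(r, r.opened_at)]
    clicked = [r for r in delivered if first_human_click(r) is not None]
    submitted = [r for r in delivered if in_window(r, r.submitted_at)]
    reported = [r for r in delivered if in_window(r, r.reported_at)]
    pct = lambda xs, base=n: round(100.0 * len(xs) / base, 1)
    return {
        "delivered": n,
        "open_rate": pct(opened),
        "click_rate": pct(clicked),                    # the headline KPI
        "submission_rate": pct(submitted),
        "reporting_rate": pct(reported),
        # severity: share of clickers who went on to enter credentials
        "submit_given_click": pct(submitted, len(clicked)) if clicked else 0.0,
    }


# Constructed sample export for one campaign (not real data).
T0 = datetime(2025, 3, 3, 9, 0)
def _t(**kw): return T0 + timedelta(**kw)
BROWSER = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"

SAMPLE = [
    Recipient("a@example.com", T0, opened_at=_t(hours=2),
              clicks=[(_t(hours=2), BROWSER)], submitted_at=_t(hours=2, minutes=5)),
    Recipient("b@example.com", T0, opened_at=_t(hours=1),
              clicks=[(_t(seconds=3), "python-requests/2.31")]),   # gateway pre-fetch only
    Recipient("c@example.com", T0, reported_at=_t(minutes=30)),
    Recipient("d@example.com", T0, clicks=[(_t(hours=50), BROWSER)]),  # after the 48 h cut-off
    Recipient("e@example.com", None),                                   # bounced: excluded
    Recipient("f@example.com", T0, opened_at=_t(hours=1), clicks=[(_t(hours=1), BROWSER)]),
    Recipient("g@example.com", T0, opened_at=_t(hours=3), reported_at=_t(hours=4)),
    Recipient("h@example.com", T0),
    Recipient("i@example.com", T0, opened_at=_t(hours=5),
              clicks=[(_t(hours=5), BROWSER)], reported_at=_t(hours=5, minutes=10)),
    Recipient("j@example.com", T0, opened_at=_t(minutes=20),
              clicks=[(_t(minutes=20), BROWSER)], submitted_at=_t(minutes=22)),
]

if __name__ == "__main__":
    for k, v in campaign_kpis(SAMPLE).items():
        print(f"{k:>20}: {v}")
```

On the constructed sample the click rate comes out at 44.4% (4 of 9 delivered), not 55.6%: recipient b's only "click" is a gateway fetch 3 seconds after delivery and recipient d clicked after the window, while the bounced recipient e is out of the denominator altogether. The same export counted naively would overstate the rate by two recipients, which is exactly the kind of drift that makes month-to-month benchmarks incomparable.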
Benchmarks by Industry
Here are consolidated data from the Proofpoint State of the Phish 2025 report, the KnowBe4 2025 industry benchmarks, and the Verizon DBIR 2025 report. These figures represent averages observed across standard-difficulty campaigns (generic, non-personalized phishing).
| Industry | Average click rate (no training) | Click rate (after 12-month program) | Improvement |
|---|---|---|---|
| Finance and banking | 18% | 3.2% | -82% |
| Healthcare | 25% | 4.8% | -81% |
| Technology and SaaS | 12% | 1.5% | -87% |
| Manufacturing and industrial | 22% | 5.1% | -77% |
| Professional services | 16% | 2.8% | -82% |
| Retail and distribution | 20% | 4.2% | -79% |
| Education | 28% | 6.5% | -77% |
| Public administration | 24% | 5.8% | -76% |
| Insurance | 15% | 2.4% | -84% |
| Transportation and logistics | 21% | 4.6% | -78% |
Sources: Proofpoint State of the Phish 2025, KnowBe4 Phishing Industry Benchmarking Report 2025, Verizon DBIR 2025. Rounded averages.
Is your industry above 20%? Measure your team's actual rate - results in 48 hours.
Analysis by Industry
Why are healthcare and education the most vulnerable? These two sectors share several risk factors: a heavy workload that reduces vigilance, high turnover that dilutes training effects, and a digital culture that is often less developed. According to Proofpoint, the healthcare sector shows the highest initial click rate because healthcare professionals work under constant pressure and handle a massive volume of urgent emails: exactly the context attackers exploit.
Why does tech perform better? Technology companies benefit from a pre-existing awareness culture, employees who are familiar with digital threats, and often more mature security programs. The initial 12% click rate is already below the cross-industry average (around 20%). After training, tech reaches 1.5%: the benchmark for excellence.
Public administration: a special case. With an initial rate of 24% and a post-training rate of 5.8%, the public sector improves its results but remains above average. Budget constraints, lengthy procurement processes, and organizational resistance to change slow down the deployment of effective programs. That said, the NIS2 directive now imposes the same training obligations on essential public entities as on the private sector. See our NIS2 guide for SMBs for full details on these requirements.
Finance and insurance: rapid progress. These sectors fall under DORA and NIS2 and are routinely asked by customers for SOC 2 attestations; the potential fines and audit findings create an urgency that accelerates adoption. Result: improvements of 82 to 84% after 12 months of a structured program.
The 4 Factors That Influence Click Rate
Your click rate doesn't depend solely on the "quality" of your employees. Four external factors significantly influence it, and understanding them allows you to interpret your results correctly.
1. Scenario Difficulty
This is the most decisive factor. According to KnowBe4 2025 data, the difference in click rate between generic phishing (e.g., "your package is waiting") and personalized spear phishing (CEO's name, reference to an internal project) is 10 to 15 percentage points. An 8% click rate on a difficult scenario is better than a 4% click rate on an easy one.
Practical implication: your internal benchmarks should compare simulations of equivalent difficulty. Increase difficulty gradually to test real reflexes, but don't compare a spear phishing result to a generic phishing result.
2. Training Frequency
According to the SANS Security Awareness Report 2025, simulation frequency has a direct and measurable impact on click rate:
- Monthly simulations: average 75% reduction in click rate after 12 months
- Quarterly simulations: 50% reduction
- Single annual simulation: 15 to 20% reduction (virtually no effect after 6 months)
Without regular reinforcement, skills acquired in training erode within a few months (USENIX Security 2020). Only repetition permanently anchors the right reflexes. To build a complete program, see our cybersecurity training guide for SMBs.
3. Company Culture
Companies that adopt a punitive approach ("name and shame," sanctions, posting names) paradoxically achieve worse results than those that foster a reporting culture.
According to Proofpoint, companies without a punitive policy have a reporting rate 3 times higher than those that penalize failures. And an employee who reports a real threat protects the entire company: that is far more valuable than a 1% click rate if nobody reports anything.
4. Program Maturity
The time factor is often underestimated. KnowBe4 data shows a clear progression based on how long the program has been running:
- Program < 6 months: average click rate of 12-18%
- Program 6 to 12 months: click rate of 4-8%
- Program 1 to 2 years: click rate of 2-4%
- Program > 2 years: click rate < 2%
If your program is recent, a high click rate is normal. What matters is the trend, not the absolute value.
Realistic Targets by Phase
Here is a progressive target framework to steer your program month by month. These targets are based on average trajectories observed in companies with 50 to 500 employees running monthly simulations.
| Phase | Duration | Click rate target | Reporting rate target |
|---|---|---|---|
| Baseline | Month 1 | Measure the starting point | Measure the baseline |
| Early stage | Months 2-3 | Below 15% | Above 20% |
| Progress | Months 4-6 | Below 8% | Above 40% |
| Maturity | Months 7-12 | Below 3% | Above 60% |
| Excellence | 12+ months | Below 2% | Above 75% |
How to read this table: if your click rate is above the target for your phase, focus your efforts on training and simulations. If your reporting rate is below the target, work on building a reporting culture (reporting plugin, positive feedback, gamification).
Methodology to Go from 16% to Under 2%
Here is a 5-step action plan, tested and validated with SMBs of 50 to 500 employees. Each step builds on the previous one: don't skip steps.
Step 1: Honest Baseline
Launch your first simulation without telling anyone. Use a medium-difficulty scenario (e.g., "Microsoft 365 password update" or "expense report to approve"). This initial number is your reference point: it's the most valuable asset of your program because it will allow you to demonstrate all future progress.
Pitfall to avoid: don't start with a scenario that's too easy just to "reassure." An artificially low baseline is useless and misleading.
Step 2: Quick Wins - The 3 Fundamental Reflexes
Before launching a full program, train your employees on the 3 most basic warning signs:
- Check the sender: the actual email address (not the display name)
- Hover over links: verify the URL before clicking
- Be wary of urgency: any "urgent" request should be verified
A 5-minute micro-module on these 3 reflexes can significantly reduce the click rate. This delivers the best return on investment of the entire program.
Step 3: Simulations with Increasing Difficulty
Run one simulation per month with progressively increasing difficulty:
- Months 1-2: generic phishing (package notification, invoice, expired subscription)
- Months 3-4: contextual phishing (internal company service, daily-use tool)
- Months 5-6: spear phishing (colleague's name, reference to a real project)
- Months 7+: BEC and multi-vector scenarios (email + QR code, fake call + email)
For a full guide on setting up simulations, see our phishing simulation guide for businesses.
Step 4: Targeting Repeat Offenders
After 3 months of simulations, identify the "top 10%": employees who clicked on multiple consecutive simulations. These repeat offenders represent a disproportionate risk and require special attention:
- Automatic reinforced training after each failure
- Additional targeted simulations (biweekly frequency instead of monthly)
- One-on-one meeting with the manager if the behavior persists after 3 failures
According to KnowBe4, targeting the top 10% of repeat offenders reduces the overall click rate by 2 to 3 percentage points: a disproportionate impact relative to the effort invested.
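The repeat-offender logic of Step 4 as a script: rank employees across the monthly campaigns, take the top 10%, and assign each one the escalation tier the three bullets describe. This is an added example, not code from the article or from any platform. The history format (one list of 0/1 outcomes per employee, oldest campaign first), the ranking key, the two-click minimum and the exact reading of "after 3 failures" are assumptions made for the example, and the 20-employee history is constructed. The last function shows the "what-if" behind the 2-3 point claim: the click rate of the latest campaign with and without the offenders' clicks.

```python
"""Repeat-offender identification and escalation across monthly campaigns.
Added example; the history format, the 10% cut-off and the escalation
thresholds encode the rules in Step 4 as assumptions, not a vendor's logic."""


def trailing_streak(history: list) -> int:
    """Number of consecutive clicks ending with the most recent campaign."""
    n = 0
    for clicked in reversed(history):
        if not clicked:
            break
        n += 1
    return n


def escalation(history: list) -> str:
    """Action after the latest campaign for one employee (assumed reading of Step 4)."""
    total = sum(history)
    if total == 0:
        return "none"
    if not history[-1]:
        return "monitor"                 # training already triggered by the earlier failure
    if total >= 3:
        return "manager_meeting"         # behaviour persists after 3 failures
    if trailing_streak(history) >= 2:
        return "biweekly_simulations"    # consecutive failures: tighten the cadence
    return "reinforced_training"         # automatic after a first or isolated failure


def repeat_offenders(histories: dict, top_percent: int = 10, min_clicks: int = 2) -> list:
    """Top `top_percent` of employees ranked by total clicks, then current streak.
    Only employees with at least `min_clicks` clicks qualify, so a single lapse
    never lands anyone on the list."""
    ranked = sorted(
        histories.items(),
        key=lambda kv: (-sum(kv[1]), -trailing_streak(kv[1]), kv[0]),
    )
    quota = -(-len(histories) * top_percent // 100)   # ceiling division, no float rounding
    return [email for email, h in ranked[:quota] if sum(h) >= min_clicks]


def last_campaign_rate(histories: dict, exclude: set = frozenset()) -> float:
    """Click rate of the most recent campaign; `exclude` models the offenders
    no longer clicking, i.e. the gain if the targeted programme works."""
    clicks = sum(h[-1] for e, h in histories.items() if e not in exclude)
    return round(100.0 * clicks / len(histories), 1)


# Constructed history: 20 employees, 4 monthly campaigns, 1 = clicked (not real data).
SAMPLE_HISTORY = {
    "u01": [1, 1, 1, 1],
    "u02": [1, 0, 1, 1],
    "u03": [0, 1, 1, 0],
    "u04": [1, 1, 0, 0],
    "u05": [0, 0, 1, 1],
    "u06": [1, 0, 0, 0],
    "u07": [0, 0, 0, 1],
    "u08": [0, 1, 0, 0],
    **{f"u{i:02d}": [0, 0, 0, 0] for i in range(9, 21)},
}

if __name__ == "__main__":
    offenders = repeat_offenders(SAMPLE_HISTORY)
    print("repeat offenders:", offenders)
    for e in offenders:
        print(f"  {e}: {escalation(SAMPLE_HISTORY[e])}")
    before = last_campaign_rate(SAMPLE_HISTORY)
    after = last_campaign_rate(SAMPLE_HISTORY, exclude=set(offenders))
    print(f"last campaign: {before}% -> {after}% if the offenders stop clicking")
```

Two design choices worth keeping when you adapt this: the minimum-clicks floor, so that a 10% quota in a small team does not sweep in someone who clicked once, and the separation between "monitor" and the active tiers, so that an employee who failed two months ago but passed since is not re-escalated. Keep the output aggregated when you communicate it; the list of names goes to the manager and the training queue, not to a leaderboard.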
Step 5: Reporting Culture
The final step, and the most important one, is to shift your employees from passive targets to active sensors. In practice:
- 1-click reporting plugin in Gmail or Outlook: reporting must be as easy as clicking
- Immediate feedback: when an employee reports a simulation, display a thank-you message ("This was a simulation. Well done, you have the right reflex!")
- Positive gamification: team rankings (never individual) based on reporting rate, not click rate
- Regular communication: share aggregated results ("This month, 67% of simulations were reported: well done!")
To go further, discover how our AI detection solution analyzes each report to improve protection.
The Reporting Rate: The KPI Everyone Forgets
Why It Matters More Than the Click Rate
A 2% click rate is excellent. But if no employee reports suspicious emails, your company remains exposed to the real phishing that will, sooner or later, get past your technical filters.
The reporting rate measures your employees' ability to detect AND react. An employee who reports a real phishing attempt protects the entire company. An employee who doesn't click but doesn't report either only protects themselves.
Reporting Benchmarks
According to Proofpoint State of the Phish 2025:
- Companies with no program: reporting rate of 5-10%
- Early-stage program (< 6 months): 15-25%
- Mature program (6-12 months): 40-55%
- Excellence program (12+ months): 60-80%
- Best observed benchmark: 92% (200-employee tech company, program active for 3 years)
How to Increase the Reporting Rate
The most effective levers, in order of impact:
- Reduce friction: a "Report" button built into the email client. Each additional click reduces the reporting rate by 10 to 15%.
- Immediate feedback: confirm the report in real time. Employees who receive feedback report 2 times more than those who send an email into the void.
- Public recognition: mention the reporting rate in internal communications. "The finance team reported 85% of simulations this month" is more motivating than "The sales team clicked 12 times."
How to Present These Results to Your Leadership
The Format
Your executive committee doesn't want an Excel spreadsheet with 15 metrics. They want three things:
- One main number: the click rate (with the trend over the last 6 months)
- A benchmark: "We are at 4% vs. 18% industry average"
- An ROI: "The program costs 20,000 EUR/year. The average cost of an incident is 120,000 EUR. Our click rate has dropped by 80%." (Figures to be replaced with your own; the point is the ratio.)
The Ideal Report
A one-page monthly report with:
- Click rate for the month + trend curve over 6-12 months
- Reporting rate for the month + trend curve
- Industry benchmark: company position vs. the industry average
- Risk score by department (identify hotspots)
- Next month's actions: planned scenarios, scheduled training
Present this report in a board meeting once per quarter. Email it every month. The goal is to demonstrate that cybersecurity is being actively managed, not passively endured.
Frequently Asked Questions
What is a good phishing click rate?
A good phishing click rate depends on the maturity of your program. Below 5%, you are in a solid range. Below 2%, you have reached excellence. Averaging the benchmark table above gives roughly 20% without training and about 4.1% after 12 months of a program (KnowBe4's 2025 cross-industry untrained figure is 18%). If your rate is above 10%, you have a significant human risk that requires immediate action.
How do I compare my click rate to my industry?
Use the industry benchmark table in this article as a reference. For a more precise comparison, make sure the difficulty of your simulations is comparable to that of the benchmarks (generic, non-personalized phishing). Simulation platforms like nophi.sh provide built-in industry benchmarks that are regularly updated.
Should you aim for a 0% click rate?
No. A 0% click rate means either your simulations are too easy or your employees have learned to recognize your simulation templates (not phishing in general). Aim for below 2% on realistically difficult scenarios. A program that maintains a 1-2% click rate with difficult scenarios is more effective than a program at 0% with basic scenarios.
How do you measure the click rate without biasing the results?
Four rules: never announce the simulation in advance, send emails in staggered batches over 24-48 hours (not all at once), use credible sending domains (not recognizable generic domains), and vary the scenarios to prevent habituation. If your employees say "another phishing test from the IT department," your simulations are too predictable.
What is the difference between click rate and submission rate?
The click rate measures who clicks on the link. The submission rate measures who goes further by entering their credentials on the phishing page. The submission rate can never be higher than the click rate, since you have to click to reach the page (on average 30-50% of clickers submit their credentials). The submission rate is the severity indicator: it measures the employees who would have actually compromised their credentials during a real attack.
Conclusion
The phishing click rate is the starting point, not the destination. It's the most visible and understandable KPI for managing an awareness program. But the true indicator of your company's cyber maturity is the reporting rate: your employees' ability to detect a threat and actively report it.
The benchmarks in this article give you a reference to put your results in context. The 5-step methodology gives you an action plan to improve them. And the phase-based targets give you a realistic timeline to get there.
To demonstrate the ROI of your program to your leadership, see our article on the ROI of cybersecurity awareness. And to choose the right platform, our guide to choosing your solution.
Launch your first benchmarking simulation - compare your results to the benchmarks in your industry.